[knot-dns-users] Manage zonefile directory in git

Ondřej Surý ondrej.sury at nic.cz
Mon Jan 4 17:27:07 CET 2016

----- Original Message -----
> From: "Tobias Brunner" <tobias at tobru.ch>
> To: "Jan Včelák" <jan.vcelak at nic.cz>
> Cc: knot-dns-users at lists.nic.cz, "Ondřej Surý" <ondrej.sury at nic.cz>
> Sent: Monday, January 4, 2016 4:20:38 PM
> Subject: Re: [knot-dns-users] Manage zonefile directory in git

> Hi Jan,
> Thanks a lot for your input.
>> Beware, this is very tricky.
>> Knot tries to apply the changes from journal on top of the zone file. For
>> this purpose, it uses the zone SOA serial as the only indicator of zone
>> version. Nothing else.
>> If you give Knot DNS a zone file with serial X, assuming DNSSEC signing
>> enabled, the server will update the zone with serial X+1. The difference
>> between X and X+1 is written into the journal. Another resigning will
>> increase the serial again. And so on.
>> So if your zone file still contains serial X, but the journal contains much
>> newer version (let's say X+10), and you decide to change the zone file, you
>> *must* set the newer serial in the zone file at least to X+11. Otherwise,
>> your zone will get inconsistent because Knot will try to apply the changes
>> in journal on top of the updated zone.
>> What's more, we obviously cannot reuse valid signatures from the journal
>> when the journal gets out-of-sync from the zone. It's cheaper to resign
>> the zone.
>> Also, zonefile-sync to -1 just disables periodical flushing of the journal.
>> The journal can be still flushed when it's full.
>> So having the zones in git including signatures is actually a good solution.
>> Just saying...
> Is there a feature in Knot where I can leave out the serial and just put a
> placeholder there? So that Knot manages the serial by itself? Knot could then
> f.e. look at the timestamp of the zonefile to decide if it needs to update the
> zone serial (f.e. unix timestamp) and reload the zone.

You can just use

`serial-policy: unixtime` for just that (the actual SERIAL in the zone is irrelevant)

> Are there any other suggestions how to manage zonefiles in Git when using
> DNSSEC? Is it a problem when replacing the zonefile every time with an unsigned
> one and let Knot resign the whole zone, or zones, because with a git reset all
> zonefiles will be replaced by the original files? Looks like this would cause a
> lot of troubles because of the automatic serial increment when signing a zone.

It's not a problem with `unixtime` serial policy.

> Setting zonefile-sync to -1 seems not to be a great idea in production...

Depends on your requirements or workflow. Clearing the journal at every zone update (or when it grows too much) and restarting the server should work fine (after some testing in your environment). But then it would be the same as `knotc flush <zone> && git fetch && git checkout HEAD -- <zonefile> && knotc reload`; the zone would get resigned on every git checkout.

> General question: How are others managing zonefiles besides in Git?
> Cheers,
> Tobias
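As an added example, not code from the thread or from the Knot DNS project, here is a POSIX shell script that wraps the `knotc flush && git checkout && knotc reload` sequence from the reply above and applies the serial rule from Jan's quoted message before the reload: it parses the SOA serial out of the checked-out file and refuses to reload unless that serial is strictly greater than the one Knot currently serves, so the journal is never replayed on top of an older file. Assumptions: the `knotc` sub-command names are the ones quoted in the message (newer Knot releases spell them `zone-flush` and `zone-reload`); the served serial is passed in by the caller, for example from `dig +short SOA example.com @127.0.0.1`, so the script itself runs offline; the `KNOTC`/`GIT` variables and the `example.com` zone file are placeholders; and the sample zone file is constructed for the demo. With `serial-policy: unixtime` configured, as the reply says, the serial in the file is irrelevant and this check is not needed.

```shell
#!/bin/sh
# Added example (not Knot DNS project code): deploy a zone file from git into
# Knot DNS without the journal/serial inconsistency described in the thread.
# Assumptions: knotc sub-commands as quoted in the message (flush / reload;
# newer Knot releases use zone-flush / zone-reload), and the currently served
# serial is supplied by the caller, e.g. from `dig +short SOA <zone>`.
set -eu

KNOTC="${KNOTC:-knotc}"   # set KNOTC=true GIT=true for a dry run
GIT="${GIT:-git}"

# Print the SOA serial of a zone file. Comments are stripped; the SOA RDATA
# may be wrapped in parentheses across several lines; the serial is the third
# RDATA field, after MNAME and RNAME.
zone_serial() {
    awk '
        function add(t) {
            if (t == "(" || t == ")") return
            if (++n == 3) { print t; exit }
        }
        { sub(/;.*/, "") }                          # drop comments
        !in_soa && $0 ~ /(^|[ \t])SOA([ \t]|$)/ {
            in_soa = 1
            for (i = 1; i <= NF; i++) if ($i == "SOA") break
            start = i + 1
            for (i = start; i <= NF; i++) add($i)
            next
        }
        in_soa { for (i = 1; i <= NF; i++) add($i) }
    ' "$1"
}

# Succeed when the serial in FILE ($1) is strictly greater than SERVED ($2),
# the serial Knot currently serves (zone file plus journal). Plain integer
# comparison: RFC 1982 serial wrap-around is not handled here.
serial_ok() {
    file_serial=$(zone_serial "$1")
    [ -n "$file_serial" ] || { echo "no SOA serial in $1" >&2; return 2; }
    [ "$file_serial" -gt "$2" ]
}

# The sequence from the message as a function: flush the journal into the
# zone file, replace the file from git, then reload, but only if the new file
# moves the serial past SERVED ($3). Otherwise the operator must bump the
# serial in git first (or use serial-policy: unixtime).
deploy_zone() {
    zone=$1; file=$2; served=$3
    $KNOTC flush "$zone"
    $GIT fetch
    $GIT checkout HEAD -- "$file"
    if ! serial_ok "$file" "$served"; then
        echo "refusing reload of $zone: $file serial $(zone_serial "$file") is not > served $served" >&2
        return 1
    fi
    $KNOTC reload
}

# Constructed sample zone file (not from the thread) for a stand-alone run.
write_sample_zone() {
    cat > "$1" <<'EOF'
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1 hostmaster (
        2016010405 ; serial
        7200 3600 1209600 300 )
    IN NS  ns1
ns1 IN A   192.0.2.53
EOF
}

if [ $# -eq 3 ]; then
    deploy_zone "$1" "$2" "$3"          # zone  zonefile  served-serial
elif [ $# -eq 0 ]; then
    sample=$(mktemp) && write_sample_zone "$sample"
    echo "sample zone serial: $(zone_serial "$sample")"
    rm -f "$sample"
fi
```

Run it as `deploy.sh example.com /etc/knot/zones/example.com.zone "$(dig +short SOA example.com @127.0.0.1 | awk '{print $3}')"`; with no arguments it only parses the constructed sample. A `git reset` that puts an older serial back into the file fails the check instead of being reloaded, which is exactly the case the quoted warning is about.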

